How To Find Cybersecurity Vulnerabilities Across Your Environment

This article is more than 7 years old.

When I was a CTO running a data center, I used to ask my ops team to do the shotgun test. They had to imagine our worst enemy came into the data center with a shotgun with one slug. What could they destroy to do the most damage? (I didn’t realize until recently that this was a modified version of Netflix’s Chaos Monkey testing approach.)

Lately I’ve wondered what the cybersecurity equivalent of the shotgun test is. How could you even do such a test? The fact is, without an understanding of your weaknesses, it isn’t possible to see what your worst enemy would do to you.

Creating a balanced security portfolio

I recently wrote a series of articles analyzing how companies spend (and misspend) their security portfolio dollars. I’ve likened the security portfolio to an investment portfolio, in which it’s wiser to spread your investments around, across industries and savings vehicles, to ensure you have a stable strategy. And just as your personal investment strategy changes over time (going from being exposed to more risk to more conservative positions), your cybersecurity portfolio needs to adapt to meet the ever-evolving landscape of cyber threats.

In those articles, I outlined steps I think every company should undertake to create a balanced cybersecurity profile. I referenced the NIST Cybersecurity Framework, which outlines five capabilities companies must consider when creating their portfolio: 1) identify; 2) protect; 3) detect; 4) respond; and 5) recover.

For this new series, I spoke to a number of executives from leading cybersecurity firms. They offered their insights on how to construct a strong portfolio and provided a sense of how their products fit into the larger NIST framework.

Productizing the shotgun test

As I’ve understood more about how top-notch security can be implemented in a balanced portfolio, it occurred to me that Tenable, one of the companies that I interviewed, essentially productized the shotgun test. Tenable’s products scan your network and computing infrastructure for vulnerabilities and misconfigurations. They detect, identify and fingerprint every networked device and provide you with the data and context needed to determine what your worst enemy would do. In my data centers in the past, I had to imagine my worst enemy. In the modern security landscape, everyone has their worst enemies after them all the time. To explore what role vulnerability scanning can play in a balanced security portfolio, I sat down with Amit Yoran, Tenable’s chairman and CEO.

[Photo: Amit Yoran, CEO of Tenable. Credit: Tenable]

An ounce of prevention is worth a pound of remediation

Tenable offers both an award-winning on-premises solution and, as of 2017, a cloud-based security platform known as Tenable.io, both of which fall on the identify, protect and detect side of the NIST framework. The visibility provided by Tenable would allow you to do a version of the shotgun test and identify where your worst enemy would attack.

In speaking with Yoran, I got a clear sense that he believes successful enterprise security comes not from what might seem the sexiest, but from, as he described it, “doing the blocking and tackling right.” He emphasized that companies will fail at security if they don’t do the essential things, like establishing good system hygiene and having quality self-awareness about what their most important assets are, where they’re located and how they’re protected.

“An ounce of prevention is worth a pound of remediation and response,” he said.

Tenable’s objective is to provide companies with a high level of visibility into potential vulnerabilities in their systems and networks. As I wrote in my earlier series, transparency is vital to good cybersecurity. So too are analytics that let you know what’s being threatened and how well systems and defenses are performing.

Cyber risk equals business risk

“Boards are increasingly worried about cybersecurity these days because now cyber risk equals business risk,” said Yoran. “That means even more is expected from the CISO, who must now not only understand the overall security posture of an enterprise IT environment, but must also be able to speak the language of business and report that status up through the business.”

According to Yoran, Tenable’s foundational security technology is its Nessus vulnerability scanner. Tenable also offers passive scanning, continuous monitoring, agent-based scanning, cloud auditing for AWS, Azure and Google, and has announced new web application and container scanning and monitoring capabilities coming later this year. Yoran emphasized it’s the combination of these technologies that truly helps a company understand and reduce its cyber risk.

“Balance doesn’t come from any single product working in isolation,” said Yoran. “You need a technology ecosystem, an open and integrated security stack. Yes, vulnerability management is a cornerstone, but there are other things you need too, such as strong encryption, identity management, authentication, and intrusion monitoring.”

With Tenable, companies get insight through analytical dashboards that offer significant visibility into their networks and areas where their systems are exposed. This visibility enables companies to focus on what matters most to reduce the cyber attack surface.

Answering the questions CISOs are asking

“We’re able to answer the most foundational questions CIOs and CISOs are asking. They ask, ‘In this new world order of cloud, IoT and DevOps, what is my actual IT footprint? How is that attack surface exposed? How does that exposure impact the business? And how can I efficiently manage and reduce my risk?’” Yoran said.

He agreed with my assessment that good security is not about having a single product or investment – companies need a comprehensive portfolio approach customized to their individual needs. “People have been under this assumption that if they invested in protection, nothing bad would happen. That’s not reality. You have to have a portfolio approach,” he said.

Mapping it all: Network, cloud, containers, IoT

As I’ve heard from other security leaders, visibility should play a crucial role in your cybersecurity approach so that you are not operating blindly when combating threats. Companies should consider adopting a command and control center, something like the nervous system for the body, so that information about their systems comes to a central location and decisions can then radiate coherently from that nexus.

Tenable offers businesses the ability to build such a command center. “We’ll map your environment out for you. And I don’t mean map your network out. Your cloud, your containers, your entire enterprise computing environment: we’ll map out the asset base and its level of exposure,” Yoran said. “Systems that aren’t patched, systems that are misconfigured, unknown or unauthorized IoT devices — we can help you know how you’re exposed and the number one thing you can do right now to improve security for the whole organization.”

Finding the dark 7 percent

Why is this so important? Yoran made the point that most companies operate in the dark when it comes to defending against and responding to threats.

“A company may have visibility into 93 percent of their compute environment, but the other 7 percent is just dark,” he said. “Think about that for a second and you’ll begin to realize the scope of the challenge we face. As a CIO you need a definitive, metrics-based view of your security posture. You need to know what your risk level looks like and where the gaps are in your security portfolio. But there’s that dark 7 percent that may as well not even exist from a security standpoint.”

He pointed out that the breadth of security visibility is foundational in a world in which more and more business is moving to the cloud. “The technology base of companies is radically changing. In your enterprise environment, you not only have traditional compute stuff, but now with the Internet of Things, you’ve got the light systems, the thermostats, webcams, smart TVs, phones,” he said. “You have to understand the risks these things pose. The move to the cloud is incredibly important because exposure and risk exist in the cloud too.”

As numerous recent high-profile hacks have reminded us, ignoring cyber fundamentals is one of the biggest risks to an organization. You’ve got to know your entire environment, assess your exposure and how it impacts your business, patch regularly, manage user access and credentials, educate employees and constantly look for malicious activity if you truly want to reduce your attack surface. Having a security platform that helps you identify the dark 7 percent can go a long way to making your business more secure.
